Author Archives: Charles Cresson Wood

One Security Policy Document Or A Series Of Documents?

Plan First: We all know that it’s advisable to create a plan before undertaking a large and complex project. For instance, most reasonable people would not consider building a modern residential house, with plumbing, heating, electrical, lighting, and communications systems, if they did not first have a clear and specific plan (aka blueprint). Of course, […]

Selling Management On Information Security Policies

Laws & Regulations: This post is for organizations that could use help raising the level of management awareness and support for information security policies. From the get-go, let’s be clear that this post is not for established organizations that are already far along when it comes to their information security efforts. They will have long [...]

A Security Policy Standard of Due Care

Divergent Directions: Looking back over the last 30+ years of my work in information security, I see two diverging trends when it comes to defining the information security-related standard of due care. By the “standard of due care,” in this column I mean the actions that management needs to take (for instance the controls that [...]

The Information Security Policy Hierarchy

Developing A Governing Policy & Subsidiary Policies. A Maturing Field: As the discipline of information security becomes more sophisticated, codified, standardized, and mature, it is not surprising that the old-fashioned approach to information security policy writing is no longer appropriate. We are talking here about the “one-size-fits-all” information security policy that is supposed to apply […]

Levels Of Maturity In The Security Policy Development Process

Litmus Test: One high-tech company that this author was working with recently was considering the acquisition of another high-tech company. In order to gauge the sophistication of the information security effort at the target company, top management at the acquiring company requested a copy of the information security policy. The policy document in that moment [...]

Five Reasons Why Security Policies Don’t Get Implemented

This article will explore five serious problems preventing information security policies from being implemented, even though these policies may have been written with the best of intentions. Cutting across all five of these causative factors is a theme involving a lack of understanding about the nature of policies. All too often policies are written in […]

Using Security Policies As Catalysts For Internal Change

Security Quality Control: There is much to recommend about the ISO 9000 quality control approach as it applies to the discipline of information security. In fact the ISO 27001 standard, entitled Information Security Management System (ISMS), in large measure reflects that same methodology. In other words, ISO 27001 suggests a continuous improvement approach to [...]

Why Your Organization Needs To Customize Policy Templates

Please Don’t Do This: A number of years ago I was asked to come in and do an information security risk assessment at a major company. Of course gathering and reading copies of relevant documentation is part of the background work necessary to orient myself to the client’s current information security situation. With this particular […]

When & Why To Publicly Reveal Internal Security Policies

Never Say Never: In the absence of further information, written information security policies are by default generally considered information that is "for internal use only" or "restricted." There are many good reasons to refuse to release information security policies to outsiders. But the trend these days is towards greater transparency, greater accountability, and a more [...]